The UK’s Ministry of Defence (MoD) has revealed that hackers gained access to the country’s army recruitment portal in March, prompting authorities to temporarily shut down the platform as a precautionary measure, and launch an investigation into the incident. The data of some army applicants is believed to have been compromised in the breach.
The British army has reverted to using paper and pen for registering recruits and other related activities in the meantime. While the army recruitment portal, called the Defence Recruitment System (DRS), is back online, access is restricted as the external DRS portal remains offline.
Data of 120 Applicants Leaked Online, Method of Breach Unknown
The MoD shut down the DRS in mid-March after the information of 120 applicants was found on sale on the dark web. The UK’s defense ministry is still investigating the method and extent of the attack. The exact point of entry the hackers used to gain access is unclear. There are speculations that the incident was “a low level compromise” and may not involve international actors.
The MoD reportedly decided to shut down the DRS to prevent unauthorized access to its other systems. The DRS is linked with “numerous MoD systems including Joint Personal Admin (JPA) and Training and Finance Management Information System (TAFIMS).”
A source told The Register that the recruits’ data was selling for 1 BTC (approximately $42,733 today).
Army Recruitment Impacted for Over Five Weeks
“Following the compromise of a small selection of recruit data, the army’s online recruitment services were temporarily suspended pending an investigation. This investigation has now concluded allowing some functionality to be restored and applications to be processed,” a spokesperson for the British army said in a statement.
The login page for potential recruits currently displays a message saying “we are currently experiencing technical issues.” It directs candidates looking for updates on the status of their application to call a dedicated number.
UK’s Data Protection Authority Notified
The UK Information Commissioner’s Office (ICO), the official body responsible for data protection in the country, has been notified about the breach.
“After making inquiries and carefully reviewing the information provided, we decided no further action was needed at this time,” an ICO spokesperson told the Guardian.
The UK is not currently fighting in the Russia-Ukraine conflict. However, the country has deployed a growing number of soldiers to Poland and Estonia.
Unfortunately, UK army recruitment numbers have fallen below target over the last few years. In fact, in six out of the eight previous years, the army could not meet its 82,050 official recruitment target. Consequently, it has decided to drop its target to 72,500 by 2025.
The impact of this data breach and system shutdown on the army’s recruitment efforts remains to be seen.